Ok, sometimes an open port is just an open port to an open service. But you won't know unless you take a look. So port 80 is up, well that's a website most likely. Check it out. May throw the IP into a whois (not for a private range, but if you were scanning a public range). See if it goes back to a site, maybe see if any other records are registered to that same IP. Now as for finding ports like 21 or 22 open... Well, both of these are some form of remote access. They could be a direct way in to the environment and may be pretty open.

Port 21, FTP, hmmm do they accept anonymous access? If so what can I see as an anonymous user when I connect?

Port 22, SSH, can it be brute-forced? Were there any possible hints to usernames on the website? Maybe some email addresses? Maybe those recipient names are the same as network user IDs? Hmmm, write those down for later. That is where hydra will come in. Once I get into SSH, do I have elevated privileges? Can I sudo up? Can I find some interesting files that may lead me to root?

Many people believe root is the key to the pen test, but actually root just helps you get further in. Your ultimate goal is to show you were able to retrieve and exfiltrate critical data such as PHI, PII, PCI, IP or other types of juicy data.

Now back to the accessible websites, you can go further than just recon. You can spider the site (with a tool like Burp Suite or manually) to look for possible vulnerable sections. Is it vulnerable to cross-site scripting or SQLi? Is the site running on IIS or Apache? Any other types of plug-ins or 3rd party apps running on the site? Basically, can I use the site as a jump point or a way to get more user information?

Thanks for that reply. It provides some awesome info, especially about the FTP. I forgot about the ability to log into that as an unclaimed user.

Ok, so I tried to use the Hackerdemia live CD to learn hydra, but even the new live CD of Hackerdemia is still missing the hydra tutorial. Is there a fix for that soon?

Some of the other stuff you mentioned I am unfamiliar with, such as the SQL injection stuff. I have never used SQL. I think I need to finish the HPTF (Thomas Wilhelm's) course first, haha, before moving into more complicated stuff.

FYI, in case you're not sure what I mean by the HPTF course: Thomas Wilhelm has made courses to teach this stuff using De-ICE. I started last night. I found my DVD from his book that has the ISSAF course.

Anyway, back to topic. I was along the same thinking that an open port is just an open port. But ones such as SSH or FTP mean that a user can log in. BUT I do not have the username or password. I assume my goal is to find a stupid mistake by someone (not stupid but illogical) and that may give me a password.

I'm not sure how much can be done on the level 1 disk, but I hope I can find the company picnic pictures. I want to see them getting attacked, haha. But the other interesting thing on the site:

"We hope that Marie M. has a speedy recovery - flowers and cards can be sent to the North Annex of "Our Lady of Unfortunate Demise, Hospital and Backhoe Rental". We will post pictures of the picnic soon, so check back later"

I see the backhoe rental hint and wonder if I can grab people's financial data from the rental records, IF the backhoe page does exist. Is there a way to see what other webpages they may have? I.e. a site map so I can see what other pages they have.

I'll do some more digging, but I'm not sure what has been thought of in the level 1 disk, so I'm not too sure what can be done and what can't be done.

Thanks for the help. Time to make a list of names and find that dang Hackerdemia live CD tutorial.

EDIT: Well, I guess emailing the names from Gmail ain't a good idea. I was guessing that it would come back as a bad address, BUT I was hoping the email address adamsa@herot.net actually worked and maybe I'd be able to get a reply from it. Nope. Oh well.

Last edited by LT72884 on Fri Jul 27, 2012 12:08 pm, edited 1 time in total.

If you need a tutorial for hydra, you don't have to depend on the course material to provide it, just look for it on Google. It's a well known program and there are plenty of tutorials out there. You can even test it on one of your own machines to get familiar with it.

Open ports like ftp don't necessarily mean that there are weak passwords. It could also be a service that's vulnerable to an exploit. If you're looking for usernames, you typically need a list of employee names and you can generate your list of usernames from there.

If you're interested in looking for hidden files or directories on the webserver, you can use dirb and DirBuster. You give them a wordlist and they'll start probing the server and let you know if they find anything. Nikto is another great tool for identifying vulnerabilities and interesting files on a webserver.
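One defender-side check that follows from the dirb/DirBuster point above, as an added example that is not from the thread or from either tool: wordlist probing shows up in the access log as a burst of 404s from one client, and this script flags such clients using a sliding window. The log lines are constructed for the example.

```python
"""Flag web clients that behave like a directory brute-forcer (dirb/DirBuster):
many 404 responses from one source address in a short window.
Added example, not part of the original thread; log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format: client ip, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, datetime, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def find_scanners(lines, threshold=5, window_s=60):
    """Return {ip: total_404s} for clients with >= threshold 404s inside any
    window_s-second span. A sliding window over each client's sorted 404
    timestamps avoids the fixed-bucket problem of a burst split across minutes."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == 404:
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample: one client probing wordlist paths, one ordinary visitor.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jul/2012:12:00:%02d +0000] "GET /%s HTTP/1.1" 404 209 "-" "Mozilla/5.0"'
    % (i, p) for i, p in enumerate(["admin", "backup", "cgi-bin", "old", "test", "tmp"])
] + [
    '10.0.0.9 - - [27/Jul/2012:12:00:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [27/Jul/2012:12:00:11 +0000] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # {'10.0.0.5': 6}
```

Tune threshold and window_s to the site's normal 404 rate; a single visitor with a broken link (10.0.0.9 above) stays unflagged.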

Any emails you find in those built in sites are probably not active but may be worth noting for another use. Like... I dunno, creating a username list for a potential brute-force attack on some open service port that allows logons.

And Shadow makes a good point. You are not limited to using only the tools provided on the DVD; some of the material is old and has not been maintained. In fact the author has moved most of the material to Hacking Dojo, I believe. So the further into the book you go, the more you may need to hunt down tools to assist you. One version of BT I had didn't have any of the wordlists for hydra to use, so I had to hunt them down from the net. Found a number of even more useful lists as well.

Also go google SQLi and do a quick read on it to understand it. It is certainly worth knowing about it since it has been used in a number of high-profile breaches. LulzSec and Anonymous used it for many of their attacks.

cyber.spirit wrote: For the FTP service try to crack the user and pass with ncrack. In BackTrack open the terminal and type: Ncrack -- v (user) (target ip address):(port which is 21 in this case)

Ah, thank you. I will read up on ncrack to see what the switches are doing. Does ncrack actually crack the password, sort of like hydra?

Thanks guys. Here is how I am doing this project. I hope you don't mind me telling you, but I want to let you know my method of doing things just in case someone can benefit from it. Plus you have answered my questions and I feel that I need to make sure your info is put to good use.

My plan of attack:
1. Watch the videos from my DVD course I purchased from Thomas and take notes.
2. Take notes on the slides from the movie.
3. Document my notes from the movie and slides in a Word file.
4. Read the required pages he has posted in the course, ISSAF .2.1.b (13-61, 87-169).
5. Highlight the ISSAF reading and document the highlighted sections.
6. Then for any tools he/ethicalhacker.net discusses, write small one-paragraph summaries of what I find and what they do to each device, including time stamps.
7. Take screenshots (if I remember).
8. Follow the examples Thomas and you guys show me for De-ICE and document those examples in my Word file.
9. Take all the documentation, including summaries of the ISSAF reading notes, and create a technical report that I can give to someone for review.

Ncrack is not a complete password cracker; actually, it's a credential finder. Hydra and Brutus are advanced password crackers; you can perform brute-force attacks and so on.

But ncrack is so fast. The first step is finding a valid username; you can't perform password cracking without it, no matter whether you use ncrack or hydra, and sometimes password cracking can't help you. In these cases you must exploit the machine.

Last edited by cyber.spirit on Tue Jul 31, 2012 1:32 pm, edited 1 time in total.

cyber.spirit wrote: And the Pro Penetration Test "Creating and Operating a Formal Hacking Lab" DVD is great. Go further and further, man, don't miss practice. Take care.

Awesome. I am hoping the courses on the DVD are going to help me complete at least level one. I tried reading the book first but got lost in some of the material for the actual pen test when he starts using other things. I then realized the book is not what walks you through the De-ICE scenes, it's the DVD. The book is just extra info that can be used to supplement the DVD course. So I am doing the DVD courses first and then reading the book to get the more in-depth info.

@Shadow Zero, thanks for the comparison link. I will read up on those and once I'm in a state of understanding it, I will use them.

Last minute question. I notice in the DVD lectures Thomas always says to practice against De-ICE 1.101. I do not and cannot find De-ICE 1.101. I can find 1.110 but not 1.101.

3xban wrote: If memory serves, there was a 101.1. I have the labs at home and can take a peek later on. There are some things that may no longer be valid since he has moved some of his material to Hacking Dojo.

Awesome. Yeah, some things must have changed, because in the video his nmap scan of 1.100 shows port 25 open. Mine is closed. He creates a telnet session to port 25 to grab banners. Haha.